D-Link is wrestling with a vulnerability in its DCS930L Wi-Fi camera that was privately disclosed by security company Senrio.
The flaw exposes the cameras to remote code execution, a Senrio report says.
CEO Stephen Ridley told Threatpost that his company is working with D-Link on remediation. D-Link, meanwhile, said in a statement emailed to Threatpost:
“Security is the highest priority for D-Link and we are proactively working with the source of the report since receiving the inquiry to ensure that any vulnerabilities discovered are addressed. Once information and testing is completed, additional information will be made available to customers online at www.mydlink.com.”
The vulnerability is a stack overflow in software running on the camera, specifically a service that processes remote commands, Senrio said in its report.
“The vulnerability allows code injection and causes a password reset, granting the attacker remote access to the camera feed,” Senrio said. “Thus, even if users create a strong password, this type of vulnerability can override them.”
The researchers believe that given where the flaw was found, its likely this vulnerability could be present in other product lines using the same software subsystem.
An attacker on the same Wi-Fi network could find and exploit the flaw in the camera. Ridley said this is primarily a consumer device, but he’s aware of some companies that will use the cameras inside a network operations center.
“The device itself is another network device,” he said. “There are a lot of edge use-cases we’re seeing. Because of the nature of these devices, two things are happening: People are putting them in places where they need to access them over the Internet. And they’re connecting them to the network accessing the feed from places they shouldn’t be relative to the security of the network such as the public Internet.”
Attackers, he said, can use exploits as a initial intrusion onto a network.
“They pose a threat to network security and operational security,” Ridley said.
Complicating matters, as with other embedded and connected devices, is the difficulty in updating them.
D-Link, for example, does provide an interface where its devices can fetch firmware and software updates from the Internet. Other so-called Internet of Things devices don’t have the same types of update features, and require instead manual installation of firmware updates.
“Most of these devices are not secure, and if patches are available, they hardly ever make it to devices in the field,” Ridley said.